Caching with DNSMasq and optionally with DNSSEC
Slow DNS lookups can drag down any system, and a server that does a lot of reverse lookups feels it most. A local caching resolver answers repeated queries from memory, so instead of your computer or server making hundreds or thousands of unneeded DNS requests upstream, only the first lookup of each name leaves the box.
The config for dnsmasq is in /etc/dnsmasq.conf
Here are some of the settings I like to use.
This sets the file that holds the actual upstream DNS servers; dnsmasq reads it instead of /etc/resolv.conf.
Never forward plain names (those without a dot or domain part).
Never forward reverse lookups for addresses in the non-routed (private) address ranges; anything not in /etc/hosts or the DHCP lease file is answered locally with "no such domain".
If you use OpenDNS servers, set this so dnsmasq queries the upstream servers strictly in the order listed.
Also, if you use OpenDNS, you'll need this line so it doesn't redirect Google queries.
If your DNS runs on a remote server and you route traffic to it over something like OpenVPN or ssh, you'll need to bind dnsmasq to the address the tunnel traffic arrives on.
Now put your actual upstream DNS servers in /etc/resolv.dnsmasq.conf:
# OpenDNS IPv4 nameservers
nameserver 188.8.131.52
nameserver 184.108.40.206
# OpenDNS IPv6 nameservers
nameserver 2620:0:ccc::2
nameserver 2620:0:ccd::2
And change your /etc/resolv.conf so that its only nameserver entry is 127.0.0.1.
You may also have to stop NetworkManager from overwriting /etc/resolv.conf. In /etc/NetworkManager/NetworkManager.conf:
[main]
#dns=default
dns=none
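Putting the settings above together, here is an added example /etc/dnsmasq.conf (my illustration, not the post's own configuration) that implements each point described: the separate upstream file, no forwarding of plain names or private reverse lookups, strict upstream order, and binding to loopback. The cache size and the commented-out VPN address are assumptions; the OpenDNS-specific override for Google queries mentioned above is not reproduced here.

```conf
# /etc/dnsmasq.conf  (added example; assumed values are marked as such)

# Read upstream servers from this file instead of /etc/resolv.conf, which
# will point back at 127.0.0.1 once dnsmasq is in front of everything.
resolv-file=/etc/resolv.dnsmasq.conf

# Never forward plain names (no dot or domain part) upstream.
domain-needed

# Never forward reverse lookups for private (RFC 1918 and similar) ranges
# upstream; anything not in /etc/hosts or the lease file gets NXDOMAIN.
bogus-priv

# Query the upstream servers strictly in the order they are listed, instead
# of the default of spreading queries across all of them.
strict-order

# Answer only on loopback. bind-interfaces makes dnsmasq bind the listed
# addresses individually rather than listening on the wildcard address.
listen-address=127.0.0.1
bind-interfaces
# If clients reach this box over a VPN or ssh tunnel, add that address too
# (10.8.0.1 is an assumed OpenVPN server address, not from the post):
#listen-address=10.8.0.1

# Assumed: keep far more answers than the default of 150 cache entries.
cache-size=10000
```

Run `dnsmasq --test` to syntax-check the file before restarting the service, then confirm with a repeated lookup that the second answer comes back with a lower TTL than the first (it was served from the cache).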
Domain Name System Security Extensions (DNSSEC) is a set of additions to the DNS protocol that let a resolver verify that the records in a response were signed by the zone's key and have not been tampered with in transit, following a chain of trust that starts at the signed root zone. It authenticates the answers, not the requests, and does not encrypt anything.
In /etc/dnsmasq.conf, add or uncomment these lines to enable DNSSEC.
Some replies arrive without DNSSEC signatures. They may still be legitimate, because the zone is simply unsigned, or they may be forgeries with the signatures stripped off. This setting makes dnsmasq prove that an unsigned reply really comes from an unsigned zone (by checking for DS records up the delegation chain) before accepting it. That costs a few extra lookups, but it is worth it for security: without the check, an attacker who can spoof a reply only has to leave the signatures out. Note that this only works if the upstream servers pass DNSSEC records (RRSIG, DS, NSEC) through; an upstream that strips them will make validation fail, and in newer dnsmasq releases this check is on by default, so consult the man page for your version.
The trust-anchors.conf file referenced above supplies the root trust anchor, using the values published at https://data.iana.org/root-anchors/root-anchors.xml.
The one I currently have is (which you can verify at the above URL):
# The root DNSSEC trust anchor, valid as at 18/03/2016
# Note that this is a DS record (ie a hash of the root Key Signing Key)
# It was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
Key tag 19036 is the 2010 root KSK. It was replaced by key tag 20326 in the root KSK rollover completed in October 2018, so a resolver trusting only this anchor can no longer validate anything; fetch the current DS record from the IANA URL above (or use the trust-anchors.conf shipped with your dnsmasq package) before enabling validation.
To verify that DNSSEC is working, go to https://www.dnssec-tools.org/
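A browser test only checks the machine you are sitting at. As an added example (not from the post), the script below checks the local dnsmasq directly with dig: a validated answer carries the AD flag, an unsigned zone answers without it, and a zone with bad signatures comes back SERVFAIL. It assumes dig is installed and dnsmasq listens on 127.0.0.1; the suggested test names in the comments (iana.org as a signed zone, dnssec-failed.org as a deliberately broken one) are assumptions to verify yourself, and the sample transcripts are constructed, not real captures.

```shell
#!/bin/sh
# Added example: classify DNSSEC validation results from `dig +dnssec` output.
# Assumptions (not from the post): dig is installed and dnsmasq listens on 127.0.0.1.

# classify_dig OUTPUT: reads the text of one `dig +dnssec` run and prints
#   validated - NOERROR with the AD (authenticated data) flag set
#   insecure  - NOERROR without AD (unsigned zone, or validation is off)
#   bogus     - SERVFAIL, which a validating resolver returns for bad signatures
#   unknown   - anything else (timeout, dig missing, no header found)
classify_dig() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo unknown; return 1 ;;
    esac
}

# query NAME: ask the local dnsmasq with the DO bit set (+dnssec) and classify the reply.
query() {
    classify_dig "$(dig +dnssec @127.0.0.1 "$1" A 2>/dev/null)"
}

# Constructed sample transcripts (trimmed, not real captures) so classify_dig
# can be exercised without network access.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example.    300  IN  A      192.0.2.10
signed.example.    300  IN  RRSIG  A 8 2 300 ...'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.  300  IN  A      192.0.2.20'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live run: sh dnssec_check.sh --live iana.org dnssec-failed.org
# Suggested names are assumptions, verify them yourself: iana.org is a signed zone
# and should print "validated"; dnssec-failed.org is deliberately mis-signed and
# should print "bogus". A signed zone printing "insecure" means validation is off
# or the upstream server is stripping the DNSSEC records.
if [ "${1:-}" = "--live" ]; then
    shift
    for name in "$@"; do
        printf '%-30s %s\n' "$name" "$(query "$name")"
    done
fi
```

The "bogus" case is the one that matters: if dnssec-failed.org (or any deliberately broken zone) resolves normally, dnsmasq is caching but not validating.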